For example, the Biba model is now hanging out in current versions of Windows. Things downloaded from the Internet are tagged as such. Internet (low) stuff can't alter user (medium) stuff which isn't allowed to write to system (high) objects. Inevitably, this kind of fades away as the end user just starts clicking yes every time the dialog pops up, but at least the framework exists...

In 15 years working in security across various industries I have not seen any non-government use of the classic Orange Book. Financial services care about non-repudiation, health services care about integrity and availability, pharma cares about confidentiality. They just focus controls on single aspects in a very broad brush way. In some cases this is much better than a bad implementation of Biba, for example, but you have to think there must be mileage in doing this correctly.
–
Rory Alsop♦Apr 5 '11 at 19:36

3 Answers

Maybe not so much as in the formal definitions, but the more generic Mandatory Access Control, and the subsets of no-write-up etc, are sometimes used, in combination with other models, as part of a more complex authorizations scheme, usually in custom business applications.

The need to differentiate permissions based on a strict hierarchical model, and/or persist the current "state", does occur in complex business systems, albeit not often.

I would also point out that XACML can support this too (even if kinda indirectly).

The techniques are also sometimes "used" in some risk analysis exercises (e.g. tracing possible data flow violations of these expectations).

Besides, as you mentioned, a similar form is being implemented in current OSs - Windows, and also SELinux as @D.W. mentioned - so yeah, it seems to be generally applicable, and becoming very common.

Generally speaking, those models tend not to be used exactly as-is. The problem is that very quickly "everything becomes low", because everything depends (through some long chain of dependencies) on something you got over the Internet. As a result, you get a lot of false positives or annoying dialogue boxes.

However, there are widely-used systems which are partly based upon the ideas found in those models. You mentioned Windows. Another example is SELinux, which is widely deployed on Fedora Linux machines. A third example (more loosely related) is taint tracking, which is used to detect vulnerabilities and protect systems against data-driven attacks. Taint tracking is conceptually similar to the Biba model: untainted data is "high", tainted data is "low", and anything that depends upon tainted ("low") data is also tagged as tainted ("low").

So while the models have largely proven to be unworkable in their originally envisioned form (for general-purpose computing), less restrictive variants have had some impact.
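The two answers above describe the same mechanism from two sides: the strict no-write-up / no-read-down rules that business authorization schemes borrow, and the taint-style "everything becomes low" cascade that makes the strict form impractical. The following Python is an added illustration, not code from either answer or from any of the systems they mention. It models integrity levels the way the Windows comment at the top of the page describes them (Internet = low, user = medium, system = high); the subject and object names ("editor", "download.doc", and so on) are constructed for the example, and the low-water-mark variant is one standard relaxation of Biba, chosen here to show how a single read of low-integrity data propagates downward.

```python
from enum import IntEnum


class Integrity(IntEnum):
    """Integrity levels; a higher value means more trusted."""
    LOW = 1      # e.g. anything that arrived from the Internet
    MEDIUM = 2   # e.g. ordinary user files
    HIGH = 3     # e.g. system objects


class IntegrityViolation(Exception):
    """Raised when an access would break the model's rule."""


class StrictBiba:
    """Classic Biba: no write up (a subject may not modify a more trusted
    object) and no read down (a subject may not consume less trusted data)."""

    def __init__(self, subjects, objects):
        self.subjects = dict(subjects)   # subject name -> Integrity
        self.objects = dict(objects)     # object name  -> Integrity

    def check_write(self, subject, obj):
        if self.subjects[subject] < self.objects[obj]:
            raise IntegrityViolation(f"no write up: {subject} -> {obj}")
        return True

    def check_read(self, subject, obj):
        if self.subjects[subject] > self.objects[obj]:
            raise IntegrityViolation(f"no read down: {subject} <- {obj}")
        return True


class LowWaterMark:
    """Subject low-water-mark variant: reads are always permitted, but the
    subject's integrity sinks to the level of whatever it read (taint
    propagation). Writes still obey no-write-up."""

    def __init__(self, subjects, objects):
        self.subjects = dict(subjects)
        self.objects = dict(objects)
        self.log = []

    def read(self, subject, obj):
        before = self.subjects[subject]
        after = min(before, self.objects[obj])   # min() of IntEnum members keeps the member
        self.subjects[subject] = after
        self.log.append(f"read  {subject} <- {obj}: {before.name} -> {after.name}")
        return after

    def write(self, subject, obj):
        if self.subjects[subject] < self.objects[obj]:
            self.log.append(f"DENY  {subject} -> {obj}")
            raise IntegrityViolation(f"no write up: {subject} -> {obj}")
        self.log.append(f"write {subject} -> {obj}")
        return True


def simulate_cascade():
    """Constructed scenario: a user-level editor opens one downloaded file and is
    thereafter barred from writing any user- or system-level object."""
    m = LowWaterMark(
        subjects={"editor": Integrity.MEDIUM},
        objects={
            "download.doc": Integrity.LOW,
            "notes.txt": Integrity.MEDIUM,
            "system.dll": Integrity.HIGH,
        },
    )
    m.write("editor", "notes.txt")        # allowed: MEDIUM subject, MEDIUM object
    m.read("editor", "download.doc")      # editor is now LOW
    denied = []
    for target in ("notes.txt", "system.dll"):
        try:
            m.write("editor", target)
        except IntegrityViolation:
            denied.append(target)
    return m.subjects["editor"], denied, m.log


if __name__ == "__main__":
    level, denied, log = simulate_cascade()
    print("\n".join(log))
    print(f"editor ends at {level.name}; writes denied to {denied}")
```

Running it shows the effect D.W.'s answer describes: the editor that was fine a moment ago cannot save its own notes file after touching a downloaded document, and under a strict policy that denial is exactly the dialog box users learn to click through. The `StrictBiba` class is there for comparison; it would have refused the read in the first place.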

In a previous life, my company had customers who didn't trust each other, and wanted to have private per-customer labs and blacker boxes on their communications lines.

We, on the other hand, wanted to transfer our software to the lab machines from our network, and get some few things back, such as amended control files for the tools. The control files were effectively a high-level language, so we wanted to keep all the labs up to date with the newest versions.

My boss therefore sent me off on a week-long Trusted Solaris course, and to brutally oversimplify, the plan became to keep the tools at UNCLAS and the customers' data in different categories at RESTRICTED.

Much later we realized we only needed categories, one each for the customers and one for us.

We didn't do a lot with the scheme, but I ran Trusted Solaris 7 on a home machine for a number of years, until the boot disk started to die.

I think this could be done more elegantly and simply with SELinux (flask), but I need to read more before I commit to that being the case...
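The labelling scheme in the answer above (tools at UNCLAS with no categories, each customer's data in its own category, and the later realisation that the categories alone did the work) is a small lattice of classification plus compartments. The Python below is an added illustration written for this page, not code from the answer or from Trusted Solaris; it implements label dominance and the two Bell-LaPadula rules (read only what you dominate, write only to what dominates you), runs the constructed lab scenario once with levels and once with categories only, and returns the access decisions so the two runs can be compared. The category names CUST_A and CUST_B and the numeric level values are assumptions made for the example.

```python
from dataclasses import dataclass


# Hypothetical numbering for the two classifications named in the answer.
UNCLAS, RESTRICTED = 0, 1


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a classification level plus a set of categories."""
    level: int
    categories: frozenset

    def dominates(self, other):
        """self dominates other when its level is at least as high and its
        category set contains all of other's categories."""
        return self.level >= other.level and self.categories >= other.categories


def can_read(subject, obj):
    """Simple security property: a subject reads only objects it dominates."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property (no write down): a subject writes only to objects that dominate it."""
    return obj.dominates(subject)


def lab_scenario(use_levels=True):
    """Constructed scenario: shared tools, two mutually distrustful customers.
    With use_levels=False every label sits at UNCLAS and only categories separate them."""
    customer_level = RESTRICTED if use_levels else UNCLAS
    tools = Label(UNCLAS, frozenset())                       # readable by everyone
    cust_a_data = Label(customer_level, frozenset({"CUST_A"}))
    cust_b_data = Label(customer_level, frozenset({"CUST_B"}))
    cust_a_user = Label(customer_level, frozenset({"CUST_A"}))
    our_staff = Label(UNCLAS, frozenset())                   # we maintain the tools
    return {
        "a_reads_tools": can_read(cust_a_user, tools),       # True: tools have no categories
        "a_reads_b_data": can_read(cust_a_user, cust_b_data),  # False: missing CUST_B
        "a_writes_b_data": can_write(cust_a_user, cust_b_data),  # False: CUST_B lacks CUST_A
        "a_writes_own_data": can_write(cust_a_user, cust_a_data),  # True
        "a_writes_tools": can_write(cust_a_user, tools),     # False: would leak CUST_A downward
        "we_push_tools": can_write(our_staff, tools),        # True: same label
        "we_read_a_data": can_read(our_staff, cust_a_data),  # False: no CUST_A category
    }


if __name__ == "__main__":
    with_levels = lab_scenario(True)
    categories_only = lab_scenario(False)
    for key in with_levels:
        print(f"{key:<20} levels={with_levels[key]!s:<5} categories-only={categories_only[key]}")
    print("identical:", with_levels == categories_only)
```

The comparison makes the answer's later observation concrete: because every access in the scenario is already decided by the category sets, removing the RESTRICTED level changes none of the decisions. The one thing this lattice does not provide on its own is the return path for amended control files from a customer lab, which in the example is refused (`we_read_a_data` is False) and would need an explicit downgrade step outside the model.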